Cyborg
Reconnaissance
Initial nmap scan to find open ports , using the flag "treat all hosts as alive" (-Pn)
nmap -Pn 10.10.4.121
We have two ports: 22 which is running ssh and 80 which is running http
Detailed Nmap Scan :
Command Breakdown:
(-sV): Service version
(-sC): Default nmap scripts
(-p): Specifying ports 22,80
(-oN nmap): Saving it into a file called nmap
nmap -sV -sC -p 22,80 -oN nmap 10.10.4.121
Enumeration
Lets visit the webserver
Its a default Apache2 page, lets run gobuster to find hidden directories and files.
There is an admin directory, lets go check it out
Its a website with information about a person, lets explore the website and see what we can find. When you go to the Admins tab, you find this information
Looks like there is a backup called music_archive. We also get another hit on gobuster
/etc/ directory , this might be config files that Alex was talking about, lets go visit it.
Clicking on the folder we see some interesting files
We have a squid.conf file and a passwd file. Lets download these to our machine.
wget http://10.10.4.121/etc/squid/<file-name>
Lets check these files out
Looks like a hash, lets crack this using john the ripper
We found a password: squidward. Lets look at the other file
Doesn't look like anything important. One thing we did not find is the achieve file Alex was talking about, so I went to go look for it and found it here.
Lets download this.
The archive is a tar file, lets click ok after selecting save file. Now lets check its contents.
tar -xvf archive.tar
We found these files, I went through many of them and many did not make sense except this one.
Looking at this information I went to google and searched on this topic and found this page, which I saw that there were commands we could use, so I went to look for the file with which we can use borg commands, which one of them was GitHub.
Next I went here as it said that it had recent releases.
I downloaded the Linux file.
Lets list the files , I tried using it when I got this message
borg list home/field/dev/final_archive
And so I downloaded the tool, now lets list the files
borg list home/field/dev/final_archive
Earlier in our enumeration we found a password: squidward, lets use that.
borg list home/field/dev/final_archive
And it worked, we have an archive file called music_archive , now lets extract this file too.
borg extract home/field/dev/final_archive/::music_archiveIts asks for a password, and I just used the before and it worked.
We extracted a folder called alex. Navigating through it, I found this file
It has nothing interesting, I also found this file
It has a username and password. Lets try to login with these credentials through ssh.
We are logged in. We can also cat the user.txt file
Privilege Escalation
Lets run sudo -l to see what we can run as root.
Looks like we can run this file, lets see what it does.
Looking through it, the getopts is something that is interesting, its a built-in function to parse arguments and options to a bash script according to google. This is the article that after googling. So for a summary, passing the bash script -c arguments , getopts will take the command and then parse it to the bash scripts and then executes it. Lets run a bash command.
sudo /etc/mp3backups/backup.sh -c bash
We are now root, but none of the commands worked.
What we have to do is to add a SUID bit on bash then exiting the shell and using the bash binary to get root on the box and execute commands.
chmod 4577 /bin/bash
exit
bash -p
cd /root
cat root.txtUsing these commands we can read the root flag.
Last updated
Was this helpful?